- Rogue FTP service on TCP port 8998
- Posted by Rich Wales on December 7th, 2004
A Windows 2003 Server system I help administer was discovered
to have a rogue FTP service running on TCP port 8998.

(Please note that I said TCP, not UDP. As far as I can tell,
this system is =not= infected with any of the Sobig viruses.)

Here's a sample of the output I saw when I connected to TCP
port 8998 on this system. (I've falsified the "Your IP" address
for the sake of privacy, but the rest is copied verbatim.)
220-UNIX
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::: Hacked By : MysteryMan - CS-FXP
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::: Your IP (logged) : 123.45.67.89
220-.::::: The Local time is 19:34:37
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::: This server has been running since
220-.::::: 0 Days, 9 Hours, 51 Mins, 11 Secs
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::: Logged in Users : 2
220-.::::: Max. Users : Unlimited
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::: Total Kb downloaded : 2 Kb
220-.::::: Total Kb uploaded : 0 Kb
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::: Average Speed : 0.000 Kb/sec
220-.::::: Current Speed : 0.000 Kb/sec
220-.::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: ::::::::::
220-.::::: Free Space : 885.09 MB
220-.::::: Enjoy Your Stay!
220 :::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::::::::::::::::::::::::::::::::::::: :::::::::::::::
I ran Symantec and SpySweeper scans, but neither program found
any infections.

Does anyone have any info about this infection? I couldn't find
anything at all about it on the Symantec or NAI virus sites.
Again, this is TCP port 8998 -- not the UDP port that was used
by the Sobig viruses.
Rich Wales richw@richw.org http://www.richw.org
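An added example, not part of the original thread: a small Python parser for the multi-line 220 greeting shown above, which pulls out the "Key : Value" fields and flags what a defender would look for (an FTP greeting on a non-standard port, defacement phrases in the banner). The sample greeting is constructed from the quoted output with the separator lines shortened, and the marker phrase list is an assumption.

```python
import re

# Constructed sample modelled on the banner quoted above (separators shortened;
# the "Your IP" value is the poster's already-falsified one). Added for this example.
SAMPLE_GREETING = (
    "220-UNIX\r\n"
    "220-.::::::::::::::::: ::::::::::::\r\n"
    "220-.::::: Hacked By : MysteryMan - CS-FXP\r\n"
    "220-.::::: Your IP (logged) : 123.45.67.89\r\n"
    "220-.::::: The Local time is 19:34:37\r\n"
    "220-.::::: Logged in Users : 2\r\n"
    "220-.::::: Free Space : 885.09 MB\r\n"
    "220-.::::: Enjoy Your Stay!\r\n"
    "220 :::::::::::::::::::::::::::::\r\n"
)

# Assumed phrase list: typical of defaced / warez-drop banners, not of a sanctioned service.
MARKERS = re.compile(r"hacked by|warez|fxp|enjoy your stay", re.I)

def parse_greeting(raw):
    """Split an RFC 959 multi-line 220 reply ('220-' lines, then '220 ') into text lines."""
    lines = []
    for line in raw.splitlines():
        if line.startswith("220 "):
            return lines                         # terminator line reached
        if not line.startswith("220-"):
            raise ValueError("not a 220 multi-line greeting: %r" % line)
        text = line[4:].lstrip(".:").strip()     # drop the '.:::::' decoration
        if re.search(r"[A-Za-z0-9]", text):      # skip separator-only lines
            lines.append(text)
    raise ValueError("greeting not terminated by a '220 ' line")

def extract_fields(lines):
    """Turn 'Key : Value' banner lines into a dict, e.g. 'Logged in Users' -> '2'."""
    fields = {}
    for text in lines:
        if " : " in text:
            key, value = text.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields

def assess(raw, port):
    """Return (suspicious, reasons) for a greeting observed on the given TCP port."""
    lines = parse_greeting(raw)
    reasons = []
    if port != 21:
        reasons.append("FTP greeting on non-standard TCP port %d" % port)
    hits = sorted({m.group(0).lower() for t in lines for m in MARKERS.finditer(t)})
    if hits:
        reasons.append("banner defacement markers: " + ", ".join(hits))
    return bool(reasons), reasons
```

Feed it the greeting captured from a listening port on your own host (for example via a raw TCP client) together with the port number; a plain one-line "220 ..." greeting on port 21 comes back clean.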
- Posted by Dr.X on December 7th, 2004
"Rich Wales" <richw@richw.org> wrote in message
news:20041207070024.Y66568.richw@whodunit.richw.org...
Why would you think it is an infection? Perhaps it's just what it
appears to be. Some hacker knows of some vulnerability in the w2k3srv and
exploited it. It could easily be something like IIS being open to attack (by
either its usual holes or a new exploit). The hacker simply tricked your
system into allowing an upload then got it to execute it.
I saw one not long ago that uploaded an ftp server package, set it as a
service, then forced a reboot. They appeared to expect to be able to use it
as a warez server. Look at the system logs. See if there are any
unexplained reboots.
Note that none of this is going to be found by a virus scanner unless
the attacker used a virus to get him in.
Also, check for hidden directories. Specifically, \winnt\fonts\*
Don't use explorer to look for "folders" in \fonts. You won't see it.
You can only see directories there from a dos prompt.
Good luck.
-Dr.X
- Posted by Dr.X on December 7th, 2004
"Dr.X" <drx@example.com> wrote in message
news:31lo4pF3dpa19U1@individual.net...
OOPS! Forgot to ask: do you have a firewall? That's kinda important ;-P
- Posted by John Coutts on December 7th, 2004
In all likelihood your server has been compromised by a back door trojan (such
as one of the many Spybot worms). The FTP server was probably installed by the
hacker after the initial intrusion and could be a legitimate program such as
U-Serv. Your main problem is not the FTP server, but the back door itself.
Unfortunately, anti-virus programs are not a very good defence against back
door trojans, as they are usually the result of an operating/network system
vulnerability.
HiJackThis can help you identify the back door, but after an intrusion, it is
sometimes difficult to tell what a hacker has done to your computer. He/she may
have even installed a second back door.
J.A. Coutts
************** REPLY SEPARATOR ***************
In article <20041207070024.Y66568.richw@whodunit.richw.org> , richw@richw.org
says...
- Posted by David H. Lipman on December 7th, 2004
1) Download the following four items...
McAfee Stinger
http://vil.nai.com/vil/stinger/
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp
Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp
Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/
Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt285.zip
Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.
2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities: Trend Sysclean, Stinger and Adaware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB)
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point
* * * Please report your results ! * * *
Dave
"Rich Wales" <richw@richw.org> wrote in message
news:20041207070024.Y66568.richw@whodunit.richw.org...
- Posted by xmp on December 12th, 2004
John Coutts wrote:
Depends on the specific malware and esp. whether it's considered a legit
FTP server. Some AV are good against trojans. IMHO Kaspersky is one of
these.
I'm sure there is other software, e.g. maybe a rootkit, that is being
used to keep admin on the server. Again, a decent AV can detect these.
If that fails, traditional manual techniques can clean it up.
michael
- Posted by xmp on December 12th, 2004
It irritates me that people masquerade as admins, yet often have no idea
what the hell is running on the server.
michael
- Posted by David H. Lipman on December 12th, 2004
:-)
Dave
"xmp" <xmp@example.net> wrote in message
news:2TPud.863$Yj4.300@newsread3.news.atl.earthlink.net...